aquasecurity / trivy

Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more
https://aquasecurity.github.io/trivy
Apache License 2.0

Trivy crashes in some region when scanning --service workspaces #3419

Closed pritam-yadu closed 1 year ago

pritam-yadu commented 1 year ago

Description

What did you expect to happen?

image

What happened instead?

Getting an error when running: trivy aws --region ap-east-1 --service workspaces --debug

Error occurred while running adapter for workspaces: operation error WorkSpaces: DescribeWorkspaces, exceeded maximum number of attempts, 3, https response error StatusCode: 0, RequestID: , request send failed, Post "https://workspaces.ap-east-1.amazonaws.com/": dial tcp: lookup workspaces.ap-east-1.amazonaws.com on 172.18.0.10:53: no such h2023-01-12T16:45:32.668+0530

Output of run with -debug:

pyaduvansh@pyaduvanshpc:/mnt/c/Users/pyaduvansh/Documents/GitHub/cspm/source/app/trivy_scanner$ trivy aws --region ap-east-1  --service workspaces --debug
2023-01-12T16:45:27.063+0530    DEBUG   Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-01-12T16:45:27.063+0530    DEBUG   Timeout is set to less than 1 hour - upgrading to 1 hour for this command.
2023-01-12T16:45:27.064+0530    DEBUG   Looking for AWS credentials provider...
2023-01-12T16:45:27.064+0530    DEBUG   Looking up AWS caller identity...
2023-01-12T16:45:27.548+0530    DEBUG   Verified AWS credentials for account 0782********!
2023-01-12T16:45:27.549+0530    DEBUG   Specific services were requested: [workspaces]...
2023-01-12T16:45:27.554+0530    DEBUG   [defsec] 45:27.554301000 aws-api.scanner.adapt.aws        Using region 'ap-east-1'      
2023-01-12T16:45:27.554+0530    DEBUG   [defsec] 45:27.554662200 aws-api.scanner.adapt.aws        Discovering caller identity...
2023-01-12T16:45:28.601+0530    DEBUG   [defsec] 45:28.601658900 aws-api.scanner.adapt.aws        AWS account ID: 07824*******
2023-01-12T16:45:28.602+0530    DEBUG   [defsec] 45:28.602312800 aws-api.scanner.adapt.aws        Preparing to run for 1 filtered services...      
2023-01-12T16:45:28.602+0530    DEBUG   [defsec] 45:28.602702900 aws-api.scanner.adapt.aws        Running adapter for workspaces...
[1/1] Scanning workspaces...
└╴Discovering workspaces... ▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒ ???% 0/0 ??/s ETA: ??m??s    
2023-01-12T16:45:32.667+0530    DEBUG   [defsec] 45:32.667106000 aws-api.scanner.adapt.aws        Error occurred while running adapter for workspaces: operation error WorkSpaces: DescribeWorkspaces, exceeded maximum number of attempts, 3, https response error StatusCode: 0, RequestID: , request send failed, Post "https://workspaces.ap-east-1.amazonaws.com/": dial tcp: lookup workspaces.ap-east-1.amazonaws.com on 172.18.0.10:53: no such h
2023-01-12T16:45:32.668+0530    DEBUG   [defsec] 45:32.668363900 aws-api.scanner                  There were 1 errors during adaption process: failed to run adapter for workspaces: operation error WorkSpaces: DescribeWorkspaces, exceeded maximum number of attempts, 3, https response error StatusCode: 0, RequestID: , request send failed, Post "https://workspaces.ap-east-1.amazonaws.com/": dial tcp: lookup workspaces.ap-east-1.amazonaws.com on 172.18.0.10:53: no such host
2023-01-12T16:45:32.718+0530    DEBUG   [defsec] 45:32.718762500 aws-api.scanner.rego             Scanning 1 inputs...
2023-01-12T16:45:32.719+0530    DEBUG   Writing report to output... 

Output of trivy -v:

Version: 0.35.0

giorod3 commented 1 year ago

Hi @pritam-yadu, thank you for reporting, I am investigating this issue.

giorod3 commented 1 year ago

Hi @pritam-yadu, I have concluded that the ap-east-1 region is not available for Workspaces or the Workspaces API. The following AWS document outlines the regions that are currently supported for Workspaces.

https://docs.aws.amazon.com/workspaces/latest/adminguide/azs-workspaces.html

I will close this issue but if you see another bug please do not hesitate to reach back out.

pritam-yadu commented 1 year ago

It's not just ap-east-1. It fails randomly for other regions as well.

image

pritam-yadu commented 1 year ago

@giorod3 Please find above snippet.

pritam-yadu commented 1 year ago

Looks like workspace is not available in multiple regions. Is there a way we can skip workspace scan in this region?

@giorod3
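
The thread ends on the question of how to skip regions where WorkSpaces has no endpoint. One way to do that outside Trivy, as an added example that is not from the thread or the Trivy project: resolve the regional endpoint first and scan only where it exists. The function names, the RESOLVER variable and the use of getent are assumptions; only the --region and --service flags and the hostname pattern come from the issue.

```shell
#!/bin/sh
# Added example, not Trivy code. Scan a service only in regions where its
# regional endpoint resolves, and record every region that was skipped.
# Assumptions: Linux with getent; endpoints follow the
# <service>.<region>.amazonaws.com pattern shown in the error above
# (other AWS partitions use a different suffix).

# Name of the resolver command; replaceable so the logic can run offline.
RESOLVER="${RESOLVER:-resolve_with_getent}"

resolve_with_getent() { getent hosts "$1" >/dev/null 2>&1; }

# endpoint_for SERVICE REGION -> hostname the AWS SDK would look up
endpoint_for() { printf '%s.%s.amazonaws.com' "$1" "$2"; }

# plan_scans SERVICE REGION... -> one "scan REGION" or "skip REGION" per line
plan_scans() {
  ps_service="$1"; shift
  for ps_region in "$@"; do
    if "$RESOLVER" "$(endpoint_for "$ps_service" "$ps_region")"; then
      echo "scan $ps_region"
    else
      echo "skip $ps_region"
    fi
  done
}

# run_scans SERVICE REGION... -> run trivy where planned, log skips to stderr
run_scans() {
  rs_service="$1"; shift
  plan_scans "$rs_service" "$@" | while read -r rs_action rs_region; do
    if [ "$rs_action" = scan ]; then
      trivy aws --region "$rs_region" --service "$rs_service" </dev/null
    else
      echo "SKIPPED $rs_service in $rs_region: endpoint does not resolve" >&2
    fi
  done
}

# Example: sh scan.sh workspaces us-east-1 ap-east-1
if [ "$#" -gt 0 ]; then run_scans "$@"; fi
```

A resolver outage looks the same as a missing endpoint, so treat the SKIPPED lines as coverage gaps to review, not as clean regions.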